Tools

"... Global networking has brought with it both new opportunities and new security threats on a worldwide scale. Since the Internet is inherently insecure, secure cryptographic protocols and a public key infrastructure are needed. In this paper we introduce a protocol component architecture that is well ..."

Global networking has brought with it both new opportunities and new security threats on a worldwide scale. Since the Internet is inherently insecure, secure cryptographic protocols and a public key infrastructure are needed. In this paper we introduce a protocol component architecture that is well suited for the implementation of telecommunications protocols in general and cryptographic protocols in particular. Our implementation framework is based on the Java programming language and the Conduits+ protocol framework. It complies with the Beans architecture and security API of JDK 1.1, allowing its users to implement application specific secure protocols with relative ease. Furthermore, these protocols can be safely downloaded through the Internet and run on virtually any workstation equipped with a Java capable browser * . The framework has been implemented and tested in practice with a variety of cryptographic protocols. The framework is relatively independent of the actual crypto...

"... The dawning of the 21st century has seen unprecedented growth in the number of wireless users, applications, and network access technologies. This trend is enabling the vision of pervasive, ubiquitous computing where users have network access anytime, anywhere, and applications are location-sensitiv ..."

The dawning of the 21st century has seen unprecedented growth in the number of wireless users, applications, and network access technologies. This trend is enabling the vision of pervasive, ubiquitous computing where users have network access anytime, anywhere, and applications are location-sensitive and contextaware. To realize this vision, we need to extend network connectivity beyond private networks, such as corporate and university networks, into public spaces like airports, malls, hotels, parks, arenas, etc. -- those places where individuals spend a considerable amount of their time outside of private networks.

"... We consider the problem of overcoming (Distributed) Denial of Service (DoS) attacks by realistic adversaries that have knowledge of their attack's successfulness, e.g., by observing service performance degradation, or by eavesdropping on messages or parts thereof. A solution for this problem ..."

We consider the problem of overcoming (Distributed) Denial of Service (DoS) attacks by realistic adversaries that have knowledge of their attack&apos;s successfulness, e.g., by observing service performance degradation, or by eavesdropping on messages or parts thereof. A solution for this problem in a high-speed network environment necessitates lightweight mechanisms for differentiating between valid traffic and the attacker&apos;s packets. The main challenge in presenting such a solution is to exploit existing packet filtering mechanisms in a way that allows fast processing of packets, but is complex enough so that the attacker cannot efficiently craft packets that pass the filters. We show a protocol that mitigates DoS attacks by adversaries that can eavesdrop and (with some delay) adapt their attacks accordingly. The protocol uses only available, efficient packet filtering mechanisms based mainly on (addresses and) port numbers. Our protocol avoids the use of fixed ports, and instead performs `pseudo-random port hopping&apos;. We model the underlying packet-filtering services and define measures for the capabilities of the adversary and for the success rate of the protocol. Using these, we provide a novel rigorous analysis of the impact of DoS on an end-to-end protocol, and show that our protocol provides effective DoS prevention for realistic attack and deployment scenarios.

...itable for all organizations. Finally, the most effective way to filter out offending traffic is using secure source authentication with message authentication codes (MACs), as in IP security (IPsec) =-=[3]-=-. However, this requires computing a MAC for every packet, which can induce significant overhead and, thus, this approach may be even more vulnerable to DoS attacks. Specifically, it is inadequate for...

"... Abstract — Internet signaling protocols establish, maintain and remove state along the data path. Next-generation signaling protocols design must meet the scaling requirements imposed by the various tasks of the Internet signaling applications, such as resource reservation and middlebox configuratio ..."

Abstract — Internet signaling protocols establish, maintain and remove state along the data path. Next-generation signaling protocols design must meet the scaling requirements imposed by the various tasks of the Internet signaling applications, such as resource reservation and middlebox configuration, and to meet the demand for general functionality in signaling protocols, including strong security, reliability, congestion control, support for various signaling purposes and message sizes, and efficient support for mobility. This paper presents a generic signaling architecture, the Cross-Application Signaling Protocol (CASP) and describes how it supports efficient and secure signaling in IP mobility scenarios. In this approach, the signaling functionality is splitted into two layers: a generic messaging layer which provides the generic functionality for message delivery, and a client layer consisting of a next-hop discovery client and any number of client protocols which perform the actual signaling tasks. The essential mechanisms required to support mobility are: (1) a session identifier uniquely selected by the initiator and effective discovery of the cross-over node; (2) a branch identifier incrementally assigned for the new branch and efficient release of state in the abandoned branch; (3) ensuring discovery messages are delivered exactly following the path that mobile IP packets are encapsulated; (4) effective hop-by-hop authentication and reauthorization provided by the messaging layer, non hop-by-hop security for signaling clients and denial-of-service protection in the discovery client. I.

...to the separation of the discovery mechanism from signaling messages and the change from end-to-end addressing to hop-by-hop addressing in CASP, existing security protocols such as TLS [11] and IPsec =-=[13]-=- can be used without modification. These protocols support a number of different authentication and key exchange protocols (e.g. IKE[14]) with different properties. Security for individual client data...

"... At the Center for Information Technology Integration, we are experimenting with algorithms and protocols for building secure applications. In our security testbed, we have modified VIC, an off-the-shelf videoconferencing application, to support GSS, a generic security interface. We then layered thes ..."

At the Center for Information Technology Integration, we are experimenting with algorithms and protocols for building secure applications. In our security testbed, we have modified VIC, an off-the-shelf videoconferencing application, to support GSS, a generic security interface. We then layered these interfaces onto a smartcard-based key distribution algorithm and a fast cipher. Because these components are accompanied by rigorous mathematical proofs of security and are accessed through narrowly-defined interfaces, we have confidence in the strength of the system’s security.

...tations in Internet infrastructure, such as secure naming and routing, which are not to be found except in isolated prototypes. Progress is being made in securing the essential fabric of the Internet =-=[3, 4, 5]-=-, but even these efforts may fail to meet the security needs of the most stringent distributed applications, which must rely on end-to-end methods to satisfy their exceptional security requirements. S...

"... : CORBA based middleware has been used for the last couple of years mainly for bringing the old legacy applications into the web age, but now this role has begun to change, as new applications are built on top of it. Together with this change, legacy based access control along with other security fu ..."

: CORBA based middleware has been used for the last couple of years mainly for bringing the old legacy applications into the web age, but now this role has begun to change, as new applications are built on top of it. Together with this change, legacy based access control along with other security functionality has to be converted from the centralized mainframe world into the distributed Internet world. This change needs solutions which are originally designed for distributed environments. Among these solutions are SPKI authorization certificates defined by the IETF working group. In this paper, we present a way of implementing authorization in CORBA based distributed applications with SPKI certificates. We discuss the potential advantages of this approach compared with traditional access control list based solutions and also describe an architecture which we have implemented in our project. 1. INTRODUCTION The powerful communications infrastructure provided by the Internet has for t...

...nts situated on separate physical machines is encrypted and protected against unauthorized modifications. The easiest way of performing this is to use IIOP over SSL, but other solutions such as IPSec =-=[13]-=- could also be used if they are supported by the environment. 6.1 Adding certificates to the Current object During the initial start up procedure of the client application the client’ s SPKI certifica...

"... Abstract — Satellites are expected to play an increasingly important role in providing broadband Internet services over long distances in an efficient manner. Future networks will be hybrid in nature- having terrestrial nodes interconnected by satellite links. Security is an important concern in suc ..."

Abstract — Satellites are expected to play an increasingly important role in providing broadband Internet services over long distances in an efficient manner. Future networks will be hybrid in nature- having terrestrial nodes interconnected by satellite links. Security is an important concern in such networks, since the satellite segment is susceptible to a host of attacks including eavesdropping, session hijacking and data corruption. In this paper we address the issue of securing communication in satellite networks. We describe the different kinds of hybrid network topologies considered for deployment. We discuss various security attacks that are possible in these networks, and survey the different solutions proposed to secure communications in the hybrid networks. We point out important drawbacks in the various proposed solutions, and suggest a hierarchical approach to add security to the hybrid networks. I.

...orks, to fix well-known security holes in satellite networks. Several proposals for data confidentiality and authentication in satellite networks call for use of the Internet Security Protocol, IPSEC =-=[6]-=-, which has been widely adopted by the Internet Engineering Task Force (IETF) for security at the network layer. IPSEC has two variants: the Authentication Header (AH) [7], which provides integrity pr...

"... This paper describes the design and implementation of a secure management protocol for the management of distributed applications. The protocol is a modified use of the ISO CMIP protocol, with additional mechanisms and behaviour to provide the following security services: # Mutual authentication of ..."

This paper describes the design and implementation of a secure management protocol for the management of distributed applications. The protocol is a modified use of the ISO CMIP protocol, with additional mechanisms and behaviour to provide the following security services: # Mutual authentication of communicating parties. Both parties can prove to each other that they are who they claim to be by the exchange of signed credentials.

... bodies such as the ITU and ISO concerning the formulation of security recommendations for network and distributed systems security. 4.1.1 The Internet community As well as the work for securing IPv6 =-=[15, 16, 17]-=-, the IETF IPSEC working Group have produced an Internet Draft describing the management of security information [10]. The IETF work also 5 addresses similar threats to the ones listed as T1 to T7. Of...